diff --git a/enscript-CVE-2008-3863+CVE-2008-4306.patch b/enscript-CVE-2008-3863+CVE-2008-4306.patch
new file mode 100644
index 0000000..f027fc4
--- /dev/null
+++ b/enscript-CVE-2008-3863+CVE-2008-4306.patch
@@ -0,0 +1,90 @@
+--- src/psgen.c
++++ src/psgen.c 2008-10-29 10:43:08.512598143 +0100
+@@ -24,6 +24,7 @@
+ * Boston, MA 02111-1307, USA.
+ */
+ 
++#include 
+ #include "gsint.h"
+ 
+ /*
+@@ -124,7 +125,7 @@ struct gs_token_st
+ double xscale;
+ double yscale;
+ int llx, lly, urx, ury; /* Bounding box. */
+- char filename[512];
++ char filename[PATH_MAX];
+ char *skipbuf;
+ unsigned int skipbuf_len;
+ unsigned int skipbuf_pos;
+@@ -135,11 +136,11 @@ struct gs_token_st
+ Color bgcolor;
+ struct
+ {
+- char name[512];
++ char name[PATH_MAX];
+ FontPoint size;
+ InputEncoding encoding;
+ } font;
+- char filename[512];
++ char filename[PATH_MAX];
+ } u;
+ };
+ 
+@@ -248,7 +249,7 @@ static int do_print = 1;
+ static int user_fontp = 0;
+ 
+ /* The user ^@font{}-defined font. */
+-static char user_font_name[256];
++static char user_font_name[PATH_MAX];
+ static FontPoint user_font_pt;
+ static InputEncoding user_font_encoding;
+ 
+@@ -978,7 +979,8 @@ large for page\n"),
+ FATAL ((stderr,
+ _("user font encoding can be only the system's default or `ps'")));
+ 
+- strcpy (user_font_name, token.u.font.name);
++ memset (user_font_name, 0, sizeof(user_font_name));
++ strncpy (user_font_name, token.u.font.name, sizeof(user_font_name) - 1);
+ user_font_pt.w = token.u.font.size.w;
+ user_font_pt.h = token.u.font.size.h;
+ user_font_encoding = token.u.font.encoding;
+@@ -1444,7 +1446,7 @@ read_special_escape (InputStream *is, To
+ buf[i] = ch;
+ if (i + 1 >= sizeof (buf))
+ FATAL ((stderr, _("too long argument for %s escape:\n%.*s"),
+- escapes[i].name, i, buf));
++ escapes[e].name, i, buf));
+ }
+ buf[i] = '\0';
+ 
+@@ -1452,7 +1454,8 @@ read_special_escape (InputStream *is, To
+ switch (escapes[e].escape)
+ {
+ case ESC_FONT:
+- strcpy (token->u.font.name, buf);
++ memset (token->u.font.name, 0, sizeof(token->u.font.name));
++ strncpy (token->u.font.name, buf, sizeof(token->u.font.name) - 1);
+ 
+ /* Check for the default font. */
+ if (strcmp (token->u.font.name, "default") == 0)
+@@ -1465,7 +1468,8 @@ read_special_escape (InputStream *is, To
+ FATAL ((stderr, _("malformed font spec for ^@font escape: %s"),
+ token->u.font.name));
+ 
+- strcpy (token->u.font.name, cp);
++ memset (token->u.font.name, 0, sizeof(token->u.font.name));
++ strncpy (token->u.font.name, cp, sizeof(token->u.font.name) - 1);
+ xfree (cp);
+ }
+ token->type = tFONT;
+@@ -1544,7 +1548,8 @@ read_special_escape (InputStream *is, To
+ break;
+ 
+ case ESC_SETFILENAME:
+- strcpy (token->u.filename, buf);
++ memset (token->u.filename, 0, sizeof(token->u.font.name));
++ strncpy (token->u.filename, buf, sizeof(token->u.filename) - 1);
+ token->type = tSETFILENAME;
+ break;
diff --git a/enscript.spec b/enscript.spec
index 29eba84..c150459 100644
--- a/enscript.spec
+++ b/enscript.spec
@@ -1,7 +1,7 @@
 Summary: A plain ASCII to PostScript converter.
 Name: enscript
 Version: 1.6.4
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv2
 Group: Applications/Publishing
 Source0: http://www.iki.fi/mtr/genscript/enscript-%{version}.tar.gz
@@ -18,6 +18,7 @@ Patch7: enscript-1.6.1-CAN-2004-1186.patch
 Patch8: enscript-wrap_header.patch
 Patch9: enscript-1.6.4-rh457719.patch
 Patch10:enscript-1.6.4-rh457720.patch
+Patch11:enscript-CVE-2008-3863+CVE-2008-4306.patch
 URL: http://www.codento.com/people/mtr/genscript/
 Prereq: /sbin/install-info
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
@@ -41,6 +42,7 @@ includes many options for customizing printouts.
 %patch8 -p1 -b .wrap_header
 %patch9 -p1 -b .rh457719
 %patch10 -p1 -b .rh457720
+%patch11 -p0 -b .CVE-2008-3863+CVE-2008-4306
 %{__tar} -C states/hl -zxf %{SOURCE1} ruby.st
 install -pm 644 %{SOURCE2} states/hl/php.st
@@ -94,6 +96,9 @@ fi
 %changelog
+* Mon Nov 03 2008 Adam Tkac 1.6.4-11
+- fixed various buffer overflows (CVE-2008-3863, CVE-2008-4306)
+
 * Fri Aug 08 2008 Adam Tkac 1.6.4-10
 - updated patches due rpm 4.6
 - enscript -w is handled well (#457719)
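Review bot: `PATH_MAX` now sizes `filename`, `font.name` and `user_font_name` (the psgen.c hunks at -124, -135 and -248), but the macro is not guaranteed to be defined on every platform, and the header named by the added `#include` in the first hunk is not visible on this page. If that header is `<limits.h>`, a fallback placed right after it keeps the build working where the macro is absent: `#ifndef PATH_MAX`, `#define PATH_MAX 4096`, `#endif` (the value is only an example). A font name is not a path, so a one-line comment on `font.name` saying why this bound was chosen would help the next reader.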
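Review bot: The `strncpy` calls in read_special_escape (the ESC_FONT case at -1452, and the hunks at -1465 and -1544) shorten an over-long name without any diagnostic, so processing would continue with a different font or file name than the input gave. The declaration of `buf` lies outside these hunks; if it can be larger than the destination, I would reject the argument before the copy in the same way the existing overflow check does, e.g. `if (strlen (buf) >= sizeof (token->u.filename)) FATAL ((stderr, _("too long argument for %s escape:\n%.*s"), escapes[e].name, i, buf));`. With the length verified first, the `memset` plus `strncpy` pair is no longer needed to guarantee termination.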
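Review bot: In the ESC_SETFILENAME case (hunk at -1544) the `memset` clears `token->u.filename` but takes its length from `sizeof(token->u.font.name)`, which is a different union member. Both arrays are `PATH_MAX` bytes after this patch, so nothing is over- or under-cleared today, but the two sizes would diverge silently if either declaration changes later. Use the destination's own size: `memset (token->u.filename, 0, sizeof(token->u.filename));`.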